On Mon, 06 Jun 2016, thierry bordaz wrote:



On 06/06/2016 11:07 AM, Alexander Bokovoy wrote:
On Mon, 06 Jun 2016, thierry bordaz wrote:
Hello,

 In DS it is possible to register callbacks for extended op.
 For https://www.ietf.org/rfc/rfc3062.txt (password modify extop),
 there is a default callback that is implemented in DS core server.
 Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config'
 that also register a callback ipapwd_extop/ipapwd_chpwop, for that
 same extop.

 The server calls the callbacks until it can find one that can handle
 the OID. But the order is not guaranty.
 So the extop can be handled either by password_extop or either by
 ipapwd_chpwop.

 Those two functions are not doing the same checking/updates.

 I would like to confirm if in Freeipa context, if only
 ipapwd_extop/ipapwd_chpwop should be called
Correct. I think we have also added plugin priority to allow handling
this type of conflicts gracefully.



The order of the plugins, is based on nsslapd-pluginprecedence.
(The lower precedence is called first)

The problem is that ipapw_extop and password_extop have the same precedence: 50. So the order they are selected basically rely on order they were registered. "Password Modify extended operation plugin" (core server) is registered before "IPA Password Extended Operation plugin". I think we need to add a precedence of "IPA Password Extended Operation plugin" to be sure it will be selected over "Password Modify extended operation plugin"

In addition https://fedorahosted.org/389/ticket/48770 changed the way plugins are selected so even setting a precedence is currently not a solution (I opened https://fedorahosted.org/389/ticket/48870)

In short we need to fix https://fedorahosted.org/389/ticket/48870


Regarding item 5.4, replacing a compat entry with its related real entry.
I think there is something missing. In fact the extop is doing an internal MOD but before calling the MOD it checks the entry exists. And if called against a 'compat' entry the extop fails before calling the MOD. But even if it was successfull it may be not be a good idea to make 'Schema Compat' preop-mod doing the mapping 'compat' -> real for all MODS.
given that schema compat is read-only (always), you can do remapping all
the time. We have this mapping already for password checks, how is this
different?

A option is to change "IPA Password Extended Operation plugin" to do this mapping 'compat' -> 'real' but it is looking like a hack.
Yes, it is unacceptable.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to